looking for IDS's based on network behavior analysis

Hello all!

I'm doing a comparative study of IDS's that work with Network
Behavior Analysis (NBA), also known as Traffic Anomaly Based, and I
would like to know if any of you could suggest some tools for my work,
or preferably a list.

The desirable qualities are:

- not commercial (at least with an evaluation period)

- can work in offline mode with trace repositories (not necessarily)

If anybody wants to exchange some information, please contact me; I can also
show what I've got so far...

Thanks a lot!

Gustavo


Re: looking for IDS's based on network behavior analysis


Check this new software-only NBA system: http://www.akmalabs.com

Al


Re: looking for IDS's based on network behavior analysis
Gustavo wrote:



I'd recommend you do a comparative study on running or not running such
an IDS at all. For most companies, practical trials have shown that running
such an IDS requires a lot of effort, at least two full-time hired
professionals, and achieves very little security.

Better to wait 10 years until log analysis has improved to a sufficient
level of intelligence in automation.

Re: looking for IDS's based on network behavior analysis
Consider an IPS (Intrusion Prevention System). Some are IDSs with some
expanded functionality and others are ground up built to go in-line.
Check latency and throughput along with attack coverage and timeliness.

IDSs are OK if, as noted below, you have lots of time OR have a specific
need for forensic analysis (but at the cost of actually stopping anything).

Some IPSs have integrations with NBAD vendors such as Mazu or Lancope.
NBAD is good for the "low and slow" attacks and IPS for standard network
security.

Good Luck.

-BG

Sebastian G. wrote:

Re: looking for IDS's based on network behavior analysis

That's not entirely correct with modern NBADs. Yes, the old ones
suffered this problem, but many modern ones have a "resolution" as high
as 1 minute. I'd not call it too slow.
As such, they're valuable additions to IDS/IPS defenses (which have
their share of problems too).

Best,

S.
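To make the trade-off in BG's and S.'s replies concrete (NBAD is what catches "low and slow" activity, and detection resolution is measured in minutes), here is an added example that is not from the thread: a toy flow-based detector run over constructed flow records at a 1-minute and a 60-minute window. The hosts, ports and thresholds are invented for the illustration.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records: (timestamp_s, src, dst, dst_port)."""
    flows = []
    # 10.0.0.5: burst, 60 distinct hosts on port 445 inside minute 10
    for i in range(60):
        flows.append((600 + i, "10.0.0.5", f"10.0.1.{i + 1}", 445))
    # 10.0.0.9: "low and slow", one new host per minute for two hours
    for m in range(120):
        flows.append((m * 60 + 7, "10.0.0.9", f"10.0.2.{m + 1}", 22))
    # 10.0.0.20: normal client talking to one server every minute
    for m in range(120):
        flows.append((m * 60 + 30, "10.0.0.20", "10.0.3.1", 443))
    return flows


def bucket(flows, window_s):
    """Group flows by (window index, source) -> set of distinct destinations."""
    buckets = defaultdict(set)
    for ts, src, dst, _port in flows:
        buckets[(ts // window_s, src)].add(dst)
    return buckets


def detect(flows, window_s, max_dst):
    """Sources contacting more than max_dst distinct hosts in any one window.

    A short window gives fast alerts for bursts; only a long window exposes
    a host fanning out one new destination at a time.
    """
    flagged = {src for (_w, src), dsts in bucket(flows, window_s).items()
               if len(dsts) > max_dst}
    return sorted(flagged)


if __name__ == "__main__":
    flows = build_sample_flows()
    print("1-minute window:", detect(flows, 60, 20))     # ['10.0.0.5']
    print("60-minute window:", detect(flows, 3600, 20))  # ['10.0.0.5', '10.0.0.9']
```

The per-minute pass alerts on the burst within a minute, while the slow scanner is only visible once distinct destinations are counted over the longer window, which is the delay-versus-coverage trade-off the thread is arguing about.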

